Deprecated - Potential Password Spraying of Microsoft 365 User Accounts

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/01"
 3integration = ["o365"]
 4maturity = "deprecated"
 5deprecation_date = "2025/01/17"
 6updated_date = "2025/01/17"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
12minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
13obtain unauthorized access to user accounts.
14"""
15false_positives = [
16    """
17    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
18    positives.
19    """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts"
26note = """This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d)."""
27risk_score = 73
28rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
29severity = "high"
30tags = [
31    "Domain: Cloud",
32    "Data Source: Microsoft 365",
33    "Use Case: Identity and Access Audit",
34    "Tactic: Credential Access",
35]
36timestamp_override = "event.ingested"
37type = "threshold"
38
39query = '''
40event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
41event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1110"
49name = "Brute Force"
50reference = "https://attack.mitre.org/techniques/T1110/"
51
52
53[rule.threat.tactic]
54id = "TA0006"
55name = "Credential Access"
56reference = "https://attack.mitre.org/tactics/TA0006/"
57
58[rule.threshold]
59field = ["source.ip"]
60value = 25

This rule has been deprecated in favor of Attempts to Brute Force a Microsoft 365 User Account (26f68dba-ce29-497b-8e13-b4fde1db5a2d).

Related rules

to-top